Antimalware doctor


  • This topic is locked
12 replies to this topic

#1 motley

motley

  • Members
  • 17 posts

Posted 28 August 2010 - 06:22 PM

Don't know where I got it but would appreciate it being gone. Thanks ahead of time!


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 15:32:34.73 on Sat 08/28/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.45 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
"C:\WINDOWS\System32\svchost.exe"
C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: {8eab99c1-f9ec-4b64-a4ba-d9bcae8779c2} - My Web Search Bar BHO
BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO
BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll
uRunOnce: [NeroHomeFirstStart] "c:\program files\common files\ahead\lib\NMFirstStart.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [wxnreacsmo.tmp] "c:\docume~1\owner\locals~1\temp\wxnreacsmo.tmp"
mRun: [trawgd327uhf838jdfdsfdfds] c:\windows\setup.exe
mRun: [fyfuvsjq] c:\documents and settings\owner\local settings\application data\autuoqtrh\ymcfrnxshdw.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\msn toolbar suite\ds\02.05.0001.1119\en-us\bin\WindowsSearch.exe
IE: {13C1DBF6-7535-495c-91F6-8C13714ED485} - c:\documents and settings\owner\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {EFFF8D47-D060-4108-B761-E8EC86622E56} - c:\documents and settings\all users\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 93.188.163.182,93.188.166.182
TCP: {08BB82B0-61BD-4B4B-A988-E6BC6F6A598C} = 93.188.163.182,93.188.166.182
TCP: {FC0D4651-A530-4F21-868B-9F149B81D458} = 93.188.163.182,93.188.166.182
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\u6h0gm8f.default\
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.1 beta 3\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox 3.1 beta 3\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox 3.1 beta 3\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S2 pciinfo;HP Pci Information;\??\c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\drivers\fd_dbus.sys [2007-3-28 44816]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-21 200192]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2007-3-28 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2007-3-28 60816]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-5 38224]

=============== Created Last 30 ================

2010-08-28 22:21:28 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-08-28 22:03:01 2838 ----a-w- c:\windows\evofunanerulat.dll
2010-08-28 21:38:57 2838 ----a-w- c:\windows\evofunaner.dll
2010-08-27 12:46:43 2838 ----a-w- c:\windows\amasafuz.dll
2010-08-27 12:44:00 20836 ---h--w- c:\windows\winamp.exe
2010-08-27 12:43:58 20836 ---h--w- c:\windows\wininst.exe
2010-08-27 12:43:55 20836 ---h--w- c:\windows\mdm.exe
2010-08-27 12:43:45 785920 ----a-w- c:\windows\system32\drivers\fxhqwl.sys
2010-08-27 12:43:41 194048 ----a-w- c:\windows\Nnetua.exe
2010-08-27 12:42:56 60004 ---h--w- c:\windows\win32.exe
2010-08-27 12:42:54 20836 ---h--w- c:\windows\user.exe
2010-08-27 12:42:53 60004 ---h--w- c:\windows\avp32.exe
2010-08-27 12:42:36 60004 ---h--w- c:\windows\setup.exe
2010-08-27 12:42:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-08-27 12:42:17 30000 ----a-w- c:\windows\system32\ouzuvpr60.dll
2010-08-27 12:42:04 30000 ----a-w- c:\windows\system32\as5ulc0lg.dll
2010-08-27 12:42:02 30000 ----a-w- c:\windows\system32\pgar95.dll
2010-08-27 12:42:00 30000 ----a-w- c:\windows\system32\uvg11o4sa.dll
2010-08-27 12:42:00 30000 ----a-w- c:\windows\system32\cwxcqjw9n6.dll
2010-08-27 12:42:00 30000 ----a-w- c:\windows\system32\a78ze81x.dll

==================== Find3M ====================

2009-12-13 03:54:30 11270 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-06 01:46:03 32768 -csha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2010-01-06 04:06:22 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122820100104\index.dat
2010-01-06 04:06:22 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010520100106\index.dat
2010-01-08 00:08:00 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010720100108\index.dat

============= FINISH: 15:34:41.67 ===============





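A log-triage script, added here as an example; it is not part of this thread and not a DDS or BleepingComputer tool. It parses the line formats DDS uses in the Pseudo HJT Report, SERVICES / DRIVERS and Created Last 30 sections above and flags what a malware helper reads off them: autorun entries started from temp or per-user application-data folders, pointing at a .tmp file or carrying a random-looking name; a driver whose binary lives in a temp folder; DNS resolvers outside private address space; and hidden executables dropped into the Windows folder in a burst that share one file size. The sample lines are a constructed subset of the posted log; the temp-folder list, the random-name heuristic and the restriction to the root of c:\windows are this example's own assumptions.

```python
"""DDS log triage. Added example for this thread, not a DDS or BleepingComputer tool.
Parses the line formats DDS uses in its Pseudo HJT Report, SERVICES / DRIVERS and
Created Last 30 sections and flags what a helper reads off them. Sample lines are
constructed from the log posted above; the heuristics are this example's own."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the posted DDS log.
SAMPLE_LOG = r"""
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [wxnreacsmo.tmp] "c:\docume~1\owner\locals~1\temp\wxnreacsmo.tmp"
mRun: [trawgd327uhf838jdfdsfdfds] c:\windows\setup.exe
mRun: [fyfuvsjq] c:\documents and settings\owner\local settings\application data\autuoqtrh\ymcfrnxshdw.exe
TCP: NameServer = 93.188.163.182,93.188.166.182
S2 pciinfo;HP Pci Information;\??\c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-5 38224]
2010-08-28 22:21:28 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-08-27 12:44:00 20836 ---h--w- c:\windows\winamp.exe
2010-08-27 12:43:58 20836 ---h--w- c:\windows\wininst.exe
2010-08-27 12:43:55 20836 ---h--w- c:\windows\mdm.exe
2010-08-27 12:42:56 60004 ---h--w- c:\windows\win32.exe
2010-08-27 12:42:53 60004 ---h--w- c:\windows\avp32.exe
2010-08-27 12:42:36 60004 ---h--w- c:\windows\setup.exe
"""

AUTORUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DNS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (?P<ips>[\d., ]+)$")
SERVICE_RE = re.compile(r"^S[0-4] (?P<svc>[^;]+);[^;]*;(?P<rest>.+)$")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<size>\d+) (?P<attrs>\S{8}) (?P<path>.+)$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".tmp", ".pif")
# Folders a legitimate autorun or driver rarely lives in (assumed list, matched lower-case).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\application data\\")


def extract_path(cmd):
    """Pull the executable path out of an autorun command line (quoted or not), lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    m = re.match(r"(?i)^(.*?\.(?:exe|tmp|dll|scr|com|pif))(?:\s|$)", cmd)
    return (m.group(1) if m else cmd.split()[0]).lower()


def looks_random(name):
    """Heuristic (this example's assumption): names of 8+ characters with under 25% vowels,
    or letters with a run of digits embedded in them, read as machine-generated."""
    if len(name) < 8:
        return False
    letters = [c for c in name.lower() if c.isalpha()]
    if letters and sum(c in "aeiou" for c in letters) / len(letters) < 0.25:
        return True
    return re.search(r"[a-z]\d{2,}[a-z]", name.lower()) is not None


def triage(log_text):
    """Return a list of findings, each {"kind", "subject", "reasons"}."""
    findings = []
    hidden = defaultdict(list)  # file size -> hidden executables created in the root of c:\windows
    for line in (ln.strip() for ln in log_text.splitlines() if ln.strip()):
        if m := AUTORUN_RE.match(line):
            name, path = m["name"], extract_path(m["cmd"])
            reasons = [r for ok, r in (
                (any(t in path for t in TEMP_MARKERS), "starts from a temp or per-user application-data folder"),
                (path.endswith(".tmp"), "autorun target is a .tmp file"),
                (looks_random(name), "random-looking entry name")) if ok]
            if reasons:
                findings.append({"kind": "autorun", "subject": f"[{name}] {path}", "reasons": reasons})
        elif m := DNS_RE.match(line):
            public = [ip for ip in re.split(r"[,\s]+", m["ips"].strip())
                      if ip and not ipaddress.ip_address(ip).is_private]
            if public:
                findings.append({"kind": "dns", "subject": ", ".join(public), "reasons": [
                    "resolvers outside private address space; confirm they belong to the ISP"]})
        elif m := SERVICE_RE.match(line):
            if any(t in m["rest"].lower() for t in TEMP_MARKERS):
                findings.append({"kind": "service", "subject": m["svc"],
                                 "reasons": ["service or driver binary lives in a temp folder"]})
        elif m := CREATED_RE.match(line):
            path = m["path"].lower()
            # 'h' in the attribute string marks a hidden file; only the root of c:\windows is grouped.
            if "h" in m["attrs"] and path.endswith(EXEC_EXT) and path.startswith("c:\\windows\\") \
                    and path.count("\\") == 2:
                hidden[int(m["size"])].append(path)
    for size, paths in hidden.items():
        findings.append({"kind": "dropped", "subject": ", ".join(paths), "reasons": [
            f"{len(paths)} hidden executable(s) of {size} bytes created in the Windows folder"
            + (" (one payload under several names)" if len(paths) > 1 else "")]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:8} {f['subject']}\n         - " + "\n         - ".join(f["reasons"]))
```

Run against the constructed sample it reports three autorun entries, the public resolvers, the pciinfo driver, and two groups of hidden executables (20836 and 60004 bytes); a triage like this only ranks what to look at first, and each hit still has to be confirmed against the file itself.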
#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 04 September 2010 - 05:55 AM

Hello motley, my name is Syler and I will be helping you to solve your malware issues. Sorry for the delay in replying, we are very busy at the moment.

Please note that because we are very busy, if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic.


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check all of the boxes, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"




We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Then please post back here with the following logs:
  • MBAM log
  • RKUnHooker report
  • OTL.txt
  • Extra.txt

Thanks



#3 motley

motley
  • Topic Starter

  • Members
  • 17 posts

Posted 04 September 2010 - 04:02 PM

I'm having problems with Malwarebytes updating, and the Unhooker says there's a driver error, so until I get those worked out I'll just post the OTL for now ;)

OTL logfile created on: 9/4/2010 1:39:03 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

222.00 Mb Total Physical Memory | 16.00 Mb Available Physical Memory | 7.00% Memory free
545.00 Mb Paging File | 342.00 Mb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 14.69 Gb Free Space | 39.42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CUSTOMER-631DB4
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/04 13:37:58 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\My Documents\Downloads\OTL.exe
PRC - [2010/04/17 10:30:35 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/09/04 13:37:58 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\My Documents\Downloads\OTL.exe
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/01/08 15:04:25 | 000,655,624 | ---- | M] (Acresso Software Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 11:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) [Disabled | Stopped] -- C:\WINDOWS\System32\bgsvcgen.exe -- (bgsvcgen)
SRV - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Disabled | Stopped] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/05/08 04:24:54 | 000,069,632 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)
SRV - [2006/04/27 17:35:16 | 000,053,337 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2006/04/27 17:27:06 | 000,049,241 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2006/04/27 17:16:28 | 000,069,718 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys -- (pciinfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2007/04/09 09:56:22 | 000,021,248 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2007/04/09 09:55:08 | 000,022,912 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2007/04/09 09:53:24 | 000,012,672 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2006/02/20 19:17:40 | 000,033,408 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdrbsdrv.sys -- (cdrbsdrv)
DRV - [2005/09/18 18:02:52 | 000,005,632 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerGuardian2\pgfilter.sys -- (pgfilter)
DRV - [2005/04/11 06:33:52 | 001,035,264 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/03/10 02:41:52 | 000,371,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/03/03 12:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2005/02/18 08:42:02 | 000,349,696 | R--- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
DRV - [2005/02/18 08:41:18 | 000,038,016 | R--- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)
DRV - [2005/02/02 04:58:58 | 000,191,456 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/01/17 18:46:55 | 000,044,816 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\fd_dbus.sys -- (fd_dbus) FutureDial USB Composite Device driver (WDM)
DRV - [2005/01/17 18:46:46 | 000,077,104 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgatmdm.sys -- (lgatmdm)
DRV - [2005/01/17 18:46:46 | 000,060,816 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgatserd.sys -- (lgatserd) LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM)
DRV - [2004/12/15 08:18:30 | 000,200,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWATI.sys -- (HSFHWATI)
DRV - [2004/12/15 08:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/15 08:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/08/03 15:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/04/14 07:36:50 | 000,007,432 | ---- | M] (Hewlett-Packard Company) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2003/06/06 11:46:16 | 000,005,220 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://news.yahoo.com [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://news.yahoo.com [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555



IE - HKU\S-1-5-21-1960408961-1123561945-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/23 05:37:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/23 05:37:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.4\extensions\\Components: C:\Program Files\Mozilla Firefox 3.1 Beta 3\components [2010/07/09 05:22:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.4\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3.1 Beta 3\plugins [2010/06/23 05:37:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/06/23 05:37:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/08/28 15:11:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/08/28 15:11:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u6h0gm8f.default\extensions
[2008/07/04 08:06:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/16 10:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
[2010/08/22 05:47:08 | 000,002,074 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2010/01/25 19:12:38 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
O2 - BHO: (My Web Search Bar BHO) - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - Reg Error: Value error. File not found
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - Reg Error: Value error. File not found
O2 - BHO: (MSN Search Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (MSN Search Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-1960408961-1123561945-839522115-500..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (Nero AG)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1960408961-1123561945-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk ()
O9 - Extra 'Tools' menuitem : Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk ()
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk ()
O9 - Extra 'Tools' menuitem : AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.182,93.188.166.182
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe) - C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe File not found
O20 - HKU\S-1-5-18 Winlogon: Shell - (C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe) - C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/21 17:21:03 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "ose"
MsConfig - Services: "MpfService"
MsConfig - Services: "MCVSRte"
MsConfig - Services: "mcupdmgr.exe"
MsConfig - Services: "McTskshd.exe"
MsConfig - Services: "McShield"
MsConfig - Services: "McDetect.exe"
MsConfig - Services: "iPodService"
MsConfig - Services: "hpqwmi"
MsConfig - Services: "Ati HotKey Poller"
MsConfig - Services: "WebrootSpySweeperService"
MsConfig - Services: "bgsvcgen"
MsConfig - Services: "WLSetupSvc"
MsConfig - Services: "Viewpoint Manager Service"
MsConfig - Services: "usnjsvc"
MsConfig - Services: "SSScsiSV"
MsConfig - Services: "SPTISRV"
MsConfig - Services: "PACSPTISVR"
MsConfig - Services: "MSCSPTISRV"
MsConfig - Services: "IDriverT"
MsConfig - Services: "FLEXnet Licensing Service"
MsConfig - Services: "NMIndexingService"
MsConfig - Services: "NBService"
MsConfig - Services: "JavaQuickStarterService"
MsConfig - Services: "iPod Service"
MsConfig - Services: "Bonjour Service"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Auto run of VideoCam Suite 1.0.lnk - C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe - (Matsushita Electric Industrial Co., Ltd.)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe - (Hewlett-Packard Co.)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe - (Microsoft Corporation)
MsConfig - StartUpFolder: C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Antimalware Doctor.lnk - C:\Documents and Settings\Owner\Application Data\C7048B40205674837F9C6A562DA6114F\newsecureapp70700.exe - (MS)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: AdobeCS4ServiceManager - hkey= - key= - C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Cpqset - hkey= - key= - C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
MsConfig - StartUpReg: eabconfg.cpl - hkey= - key= - C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
MsConfig - StartUpReg: fyfuvsjq - hkey= - key= - C:\Documents and Settings\Owner\Local Settings\Application Data\autuoqtrh\ymcfrnxshdw.exe ()
MsConfig - StartUpReg: H/PC Connection Agent - hkey= - key= - C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
MsConfig - StartUpReg: HP Software Update - hkey= - key= - C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Co.)
MsConfig - StartUpReg: hpWirelessAssistant - hkey= - key= - C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: hse897ifdsjf98u3heuidhfdd - hkey= - key= - C:\Documents and Settings\Owner\Local Settings\Temp\z0vodoi2.exe ()
MsConfig - StartUpReg: IMJPMIG8.1 - hkey= - key= - C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
MsConfig - StartUpReg: ISW - hkey= - key= - C:\Program Files\CheckPoint\ZAForceField\ForceField.exe File not found
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: KernelFaultCheck - hkey= - key= - File not found
MsConfig - StartUpReg: Malwarebytes Anti-Malware (reboot) - hkey= - key= - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
MsConfig - StartUpReg: Microsoft Works Update Detection - hkey= - key= - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
MsConfig - StartUpReg: newsecureapp70700.exe - hkey= - key= - C:\Documents and Settings\Owner\Application Data\C7048B40205674837F9C6A562DA6114F\newsecureapp70700.exe (MS)
MsConfig - StartUpReg: PeerGuardian - hkey= - key= - C:\Program Files\PeerGuardian2\pg2.exe (Methlabs)
MsConfig - StartUpReg: PHIME2002A - hkey= - key= - File not found
MsConfig - StartUpReg: PHIME2002ASync - hkey= - key= - File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: Qyinobuni - hkey= - key= - C:\WINDOWS\mse1ENeM.DLL (MaresWEB)
MsConfig - StartUpReg: SsAAD.exe - hkey= - key= - C:\Program Files\Sony\SonicStage\SSAAD.exe ()
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: SynTPEnh - hkey= - key= - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
MsConfig - StartUpReg: SynTPLpr - hkey= - key= - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
MsConfig - StartUpReg: trawgd327uhf838jdfdsfdfds - hkey= - key= - C:\WINDOWS\setup.exe ()
MsConfig - StartUpReg: wxnreacsmo.tmp - hkey= - key= - C:\Documents and Settings\Owner\Local Settings\Temp\wxnreacsmo.tmp ()
MsConfig - StartUpReg: XBV6RD5SZF - hkey= - key= - C:\Documents and Settings\Owner\Local Settings\Temp\Nvv.exe (ApexDC++ Development Team)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 1

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivXNetworks, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Unable to start service SrService!

========== Files/Folders - Created Within 30 Days ==========

[2010/08/28 15:29:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Downloads
[2010/08/28 15:21:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/08/28 15:13:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2010/08/28 15:13:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2010/08/28 15:11:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2010/08/28 15:11:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
[2010/08/28 15:11:03 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
[2010/08/28 15:10:46 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2010/08/28 15:10:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2010/08/28 15:10:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2010/08/28 15:10:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2010/08/28 15:10:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2010/08/28 15:10:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/08/28 15:10:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2010/08/28 15:10:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2010/08/28 15:10:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2010/08/28 15:10:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents
[2010/08/28 15:10:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2010/08/28 15:10:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Favorites
[2010/08/28 15:10:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2010/08/28 15:10:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
[2010/08/27 05:43:41 | 000,194,048 | ---- | C] (ApexDC++ Development Team) -- C:\WINDOWS\Nnetua.exe
[2010/08/27 05:42:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update

========== Files - Modified Within 30 Days ==========

[2010/09/04 13:49:42 | 000,785,920 | ---- | M] () -- C:\WINDOWS\System32\drivers\fxhqwl.sys
[2010/09/04 13:37:17 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/09/04 13:36:14 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RKUnhookerLE(2).EXE
[2010/09/04 13:29:58 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/04 13:28:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/31 17:18:48 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/08/31 17:18:35 | 004,240,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/08/28 16:28:38 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/28 16:27:57 | 000,002,838 | ---- | M] () -- C:\WINDOWS\emirijan.dll
[2010/08/28 16:27:13 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/08/28 16:25:51 | 000,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/28 16:25:51 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/28 16:25:45 | 000,000,259 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/28 16:20:35 | 000,002,508 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\$_hpcst$.hpc
[2010/08/28 15:36:25 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.exe
[2010/08/28 15:03:02 | 000,002,838 | ---- | M] () -- C:\WINDOWS\evofunanerulat.dll
[2010/08/28 14:38:57 | 000,002,838 | ---- | M] () -- C:\WINDOWS\evofunaner.dll
[2010/08/27 05:46:44 | 000,002,838 | ---- | M] () -- C:\WINDOWS\amasafuz.dll
[2010/08/27 05:44:00 | 000,020,836 | -H-- | M] () -- C:\WINDOWS\winamp.exe
[2010/08/27 05:43:58 | 000,020,836 | -H-- | M] () -- C:\WINDOWS\wininst.exe
[2010/08/27 05:43:55 | 000,020,836 | -H-- | M] () -- C:\WINDOWS\mdm.exe
[2010/08/27 05:42:54 | 000,020,836 | -H-- | M] () -- C:\WINDOWS\user.exe
[2010/08/27 05:42:53 | 000,060,004 | -H-- | M] () -- C:\WINDOWS\avp32.exe
[2010/08/27 05:42:39 | 000,194,048 | ---- | M] (ApexDC++ Development Team) -- C:\WINDOWS\Nnetua.exe
[2010/08/27 05:42:37 | 000,060,004 | -H-- | M] () -- C:\WINDOWS\setup.exe
[2010/08/27 05:42:17 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\ouzuvpr60.dll
[2010/08/27 05:42:04 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\as5ulc0lg.dll
[2010/08/27 05:42:03 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\pgar95.dll
[2010/08/27 05:42:00 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\uvg11o4sa.dll
[2010/08/27 05:42:00 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\cwxcqjw9n6.dll
[2010/08/27 05:42:00 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\a78ze81x.dll
[2010/08/21 19:38:43 | 000,000,182 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

========== Files Created - No Company Name ==========

[2010/09/04 13:37:14 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RKUnhookerLE(2).EXE
[2010/08/28 16:27:57 | 000,002,838 | ---- | C] () -- C:\WINDOWS\emirijan.dll
[2010/08/28 16:20:35 | 000,002,508 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\$_hpcst$.hpc
[2010/08/28 15:10:52 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/08/28 15:10:47 | 005,117,051 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Star-sd2mu.ace
[2010/08/28 15:10:47 | 000,040,353 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Star-sd2mu.jpg
[2010/08/28 15:10:47 | 000,002,049 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\StArShIp.nfo
[2010/08/28 15:10:47 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\MySpaceIM.lnk
[2010/08/28 15:10:47 | 000,000,052 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\file_id.diz
[2010/08/28 15:10:45 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/08/28 15:10:45 | 000,102,400 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2010/08/28 15:03:01 | 000,002,838 | ---- | C] () -- C:\WINDOWS\evofunanerulat.dll
[2010/08/28 14:38:57 | 000,002,838 | ---- | C] () -- C:\WINDOWS\evofunaner.dll
[2010/08/27 05:46:43 | 000,002,838 | ---- | C] () -- C:\WINDOWS\amasafuz.dll
[2010/08/27 05:44:00 | 000,020,836 | -H-- | C] () -- C:\WINDOWS\winamp.exe
[2010/08/27 05:43:58 | 000,020,836 | -H-- | C] () -- C:\WINDOWS\wininst.exe
[2010/08/27 05:43:55 | 000,020,836 | -H-- | C] () -- C:\WINDOWS\mdm.exe
[2010/08/27 05:43:45 | 000,785,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\fxhqwl.sys
[2010/08/27 05:43:24 | 000,000,282 | -H-- | C] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/08/27 05:42:54 | 000,020,836 | -H-- | C] () -- C:\WINDOWS\user.exe
[2010/08/27 05:42:53 | 000,060,004 | -H-- | C] () -- C:\WINDOWS\avp32.exe
[2010/08/27 05:42:36 | 000,060,004 | -H-- | C] () -- C:\WINDOWS\setup.exe
[2010/08/27 05:42:17 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\ouzuvpr60.dll
[2010/08/27 05:42:04 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\as5ulc0lg.dll
[2010/08/27 05:42:02 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\pgar95.dll
[2010/08/27 05:42:00 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\uvg11o4sa.dll
[2010/08/27 05:42:00 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\cwxcqjw9n6.dll
[2010/08/27 05:42:00 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\a78ze81x.dll
[2010/01/28 20:49:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\muveeapp.INI
[2009/12/13 07:25:32 | 000,000,067 | ---- | C] () -- C:\WINDOWS\AVIConverter.INI
[2009/12/12 20:54:29 | 000,011,270 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/12/12 15:27:01 | 002,255,360 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2009/12/12 15:27:01 | 000,395,776 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2009/12/12 15:27:01 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2009/12/12 15:27:01 | 000,112,640 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2009/12/06 09:59:35 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/05/02 07:16:25 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/02/13 12:56:48 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/12/27 17:07:32 | 000,002,508 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\$_hpcst$.hpc
[2007/05/25 10:04:07 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll
[2006/12/01 21:03:12 | 000,058,904 | ---- | C] () -- C:\WINDOWS\System32\sysfolderazipcnt.dll
[2006/12/01 21:03:12 | 000,058,904 | ---- | C] () -- C:\WINDOWS\System32\azipcontmn.dll
[2006/10/04 10:23:33 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2006/04/19 10:44:17 | 000,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2006/04/19 10:44:17 | 000,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2005/12/29 13:26:45 | 000,000,838 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/11/11 00:46:11 | 000,000,182 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/09/09 18:11:47 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll
[2005/08/21 17:36:00 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/08/21 17:36:00 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/08/21 17:36:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/08/21 17:36:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/08/21 17:36:00 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/08/21 17:36:00 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/08/21 17:16:26 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/04/27 11:38:00 | 000,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2005/04/27 11:37:49 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2005/02/12 01:33:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/09/01 08:49:17 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[1998/08/16 05:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/08/21 09:02:23 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/08/21 09:02:23 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/08/21 09:02:23 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >

========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CE11B51
< End of report >
OTL Extras logfile created on: 9/4/2010 1:39:03 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

222.00 Mb Total Physical Memory | 16.00 Mb Available Physical Memory | 7.00% Memory free
545.00 Mb Paging File | 342.00 Mb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 14.69 Gb Free Space | 39.42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CUSTOMER-631DB4
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\BitPim\bitpim.exe" = C:\Program Files\BitPim\bitpim.exe:*:Enabled:View and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones. -- (http://www.bitpim.org)
"C:\Program Files\utorrent\utorrent.exe" = C:\Program Files\utorrent\utorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe" = C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000000-785F-478A-BAA2-87F1A136068C}" = MSN Encarta Plus Support Files
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3}" = OpenMG AAC Add-on Module 1.0.00
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{3633BA28-67CE-4AC8-A677-3406CA84C3D8}" = OpenMG Secure Module 4.5.01
"{3643EF5F-D28D-4B25-9FA1-8859FC303710}" = Coby Media Manager
"{3819891A-030B-4a4e-98ED-B28A649E48AB}" = HP Deskjet 3900 series
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{42F6BED9-41DD-40F1-85A8-8E0350493626}" = HPDeskjet3900Series
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 1.01 A2
"{476B875F-7809-49B6-A6EC-1B1BB14D7D9E}" = PC Sync
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AF8A676-7D24-431E-9B90-BCA8C5C7F1B4}" = VideoCam Suite
"{4F1CECBC-670F-4daa-81D6-944B12450917}" = DIGReqEx
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{534AA552-E1F1-4965-B2AA-FBDEB0730D60}" = muvee autoProducer 4.0 - SE
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{612DC38A-B36A-4699-88EB-12C7394DE2FC}" = TIxx21
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6C677A88-ACCE-41F6-ADFA-E48C30718CEB}" = Tiger Woods PGA TOUR 2002
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{759524D5-08C9-4E88-8EB3-8D6ECB226C52}" = HP Image Zone Express
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7B694704-8D6C-4833-99E1-311A9788F61F}" = PDF Manual NW-S200 Series
"{7D1DCBBA-F6F5-42B4-B90B-F04ACE4DFD6C}" = MSN Search Toolbar
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90840409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9EDF1A5D-D8E0-413E-9782-75DD4A8C831B}" = VideoCam Suite 1.0
"{9F7FC79B-3059-4264-9450-39EB368E3220}" = Microsoft Picture It! Library 9
"{A0EB195B-5876-48E6-879D-33D4B2102610}" = SonicStage 4.0
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B208806F-A231-4FA0-AB3F-5C1B8979223E}" = Microsoft ActiveSync 4.0
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B3C9A441-C34D-40F3-9D3B-00EDDDAC74F1}" = Garmin Communicator Plugin
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C769B501-2BE8-46ed-9E69-118F008A0917}" = DIGOpt
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CD264503-9924-44CC-8FF9-DD7CB779EA1B}" = Garmin c320 City Navigator North America NT v8
"{CEB326EC-8F40-47B2-BA22-BB092565D66F}" = Quick Launch Buttons 5.10 B2
"{CF097717-F174-4144-954A-FBC4BF301033}" = Nero 7 Premium
"{D1E8DC27-C3CD-4DD8-B37B-D26D7D7CFCBD}" = HP User Guides 0002
"{DBA8B9E1-C6FF-4624-9598-73D3B41A0900}" = Microsoft Picture It! Express 9
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1" = BitPim 0.9.12
"{FAF88B432344413595BB2DED98385684}" = DivX User Guide
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"Absolute Poker" = Absolute Poker
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CNXT_AUDIO" = Conexant AC-Link Audio
"CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_3091103C" = Data Fax SoftModem with SmartCP
"Desktop Weather by The Weather Channel" = Desktop Weather by The Weather Channel
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 5.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.0
"HPExtendedCapabilities" = HP Extended Capabilities 5.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3}" = OpenMG AAC Add-on Module 1.0.00
"InstallShield_{3633BA28-67CE-4AC8-A677-3406CA84C3D8}" = OpenMG Secure Module 4.5.01
"InstallShield_{476B875F-7809-49B6-A6EC-1B1BB14D7D9E}" = LG PC Sync
"InstallShield_{612DC38A-B36A-4699-88EB-12C7394DE2FC}" = Texas Instruments PCIxx21/x515 drivers.
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.4.4 (Basic)
"LG USB Drivers" = LG USB Drivers
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Money2005b" = Microsoft Money 2005
"Mozilla Firefox (3.0.7)" = Mozilla Firefox (3.0.7)
"Mozilla Firefox (3.6.4)" = Mozilla Firefox (3.6.4)
"Mozilla Thunderbird (3.0.1)" = Mozilla Thunderbird (3.0.1)
"MP3 Cutter Plus_is1" = MP3 Cutter Plus 1.0
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OpenMG HotFix4.5-06-05-10-01" = OpenMG Limited Patch 4.5-06-05-12-01
"Paint Shop Pro 6" = Paint Shop Pro 6.02 CD
"PeerGuardian_is1" = PeerGuardian 2.0
"PictureIt_POD_v9" = Microsoft Picture It! Library 9
"PictureIt_v9" = Microsoft Picture It! Express 9
"QuickLink Mobile" = QuickLink Mobile
"RarZilla Free Unrar 2.52" = RarZilla Free Unrar 2.52
"RealPlayer 6.0" = RealPlayer
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TextTwist Deluxe" = TextTwist Deluxe
"V CAST Music with Rhapsody" = V CAST Music with Rhapsody
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"YInstHelper" = Yahoo! Install Manager
"YU2010_is1" = Your Uninstaller! 2010

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/18/2008 10:18:28 PM | Computer Name = CUSTOMER-631DB4 | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft Office Excel Viewer 2003 -- Error 25090. Office
Setup encountered a problem with the Office Source Engine, system error: -2147023838.
Please open and look for "Office Source Engine" for information on how to resolve
this problem.

Error - 9/18/2008 10:18:28 PM | Computer Name = CUSTOMER-631DB4 | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Excel Viewer 2003 - Update 'Security Update
for Office 2003 (KB954478): GDIPLUS' could not be installed. Error code 1603. Windows
Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127

Error - 9/18/2008 10:18:30 PM | Computer Name = CUSTOMER-631DB4 | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft Office Excel Viewer 2003 -- Error 25090. Office
Setup encountered a problem with the Office Source Engine, system error: -2147023838.
Please open and look for "Office Source Engine" for information on how to resolve
this problem.

Error - 9/18/2008 10:18:30 PM | Computer Name = CUSTOMER-631DB4 | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Excel Viewer 2003 - Update 'Update for Office
2003 (KB919029): LCCWIZ' could not be installed. Error code 1603. Windows Installer
can create logs to help troubleshoot issues with installing software packages.
Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error - 9/22/2008 3:19:44 PM | Computer Name = CUSTOMER-631DB4 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3105, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 9/22/2008 3:21:22 PM | Computer Name = CUSTOMER-631DB4 | Source = McLogEvent | ID = 5051
Description =

Error - 9/22/2008 3:22:27 PM | Computer Name = CUSTOMER-631DB4 | Source = Application Hang | ID = 1001
Description = Fault bucket 829830123.

Error - 9/26/2008 4:16:38 PM | Computer Name = CUSTOMER-631DB4 | Source = Application Hang | ID = 1002
Description = Hanging application mainclient.exe, version 8.4.5.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 9/26/2008 4:18:30 PM | Computer Name = CUSTOMER-631DB4 | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/25/2008 1:40:15 AM | Computer Name = CUSTOMER-631DB4 | Source = WindowsLiveSetup | ID = 5000
Description =

[ System Events ]
Error - 8/31/2010 8:06:34 PM | Computer Name = CUSTOMER-631DB4 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 8/31/2010 8:07:34 PM | Computer Name = CUSTOMER-631DB4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eabfiltr Fips Processor

Error - 8/31/2010 8:18:45 PM | Computer Name = CUSTOMER-631DB4 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 9/4/2010 4:28:42 PM | Computer Name = CUSTOMER-631DB4 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 9/4/2010 4:28:42 PM | Computer Name = CUSTOMER-631DB4 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 9/4/2010 4:30:01 PM | Computer Name = CUSTOMER-631DB4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eabfiltr Fips Processor

Error - 9/4/2010 4:30:16 PM | Computer Name = CUSTOMER-631DB4 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 9/4/2010 4:36:37 PM | Computer Name = CUSTOMER-631DB4 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 9/4/2010 4:40:04 PM | Computer Name = CUSTOMER-631DB4 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 9/4/2010 4:40:06 PM | Computer Name = CUSTOMER-631DB4 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:10 AM

Posted 05 September 2010 - 06:41 AM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#5 motley

motley
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:10 PM

Posted 06 September 2010 - 06:59 PM

Can I run this in safe mode?

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:10 AM

Posted 06 September 2010 - 07:25 PM

Yes you can. If you're having problems running it, you could try renaming ComboFix to motley.exe; otherwise run it in safe mode.



#7 motley

motley
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:10 PM

Posted 11 September 2010 - 11:20 AM

ComboFix 10-09-09.04 - Administrator 09/11/2010 8:53.3.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.101 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Update\seupd.exe
c:\documents and settings\Owner\Application Data\C7048B40205674837F9C6A562DA6114F
c:\documents and settings\Owner\Application Data\C7048B40205674837F9C6A562DA6114F\enemies-names.txt
c:\documents and settings\Owner\Application Data\C7048B40205674837F9C6A562DA6114F\local.ini
c:\documents and settings\Owner\Application Data\C7048B40205674837F9C6A562DA6114F\lsrslt.ini
c:\documents and settings\Owner\Application Data\C7048B40205674837F9C6A562DA6114F\newsecureapp70700.exe
c:\documents and settings\Owner\Application Data\C7048B40205674837F9C6A562DA6114F\upd_debug.exe
c:\documents and settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk
c:\documents and settings\Owner\Application Data\pacman.exe
c:\documents and settings\Owner\Local Settings\Application Data\autuoqtrh
c:\documents and settings\Owner\Local Settings\Application Data\autuoqtrh\ymcfrnxshdw.exe
c:\documents and settings\Owner\Start Menu\Antimalware Doctor.lnk
c:\documents and settings\Owner\Start Menu\Programs\Antimalware Doctor
c:\documents and settings\Owner\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\documents and settings\Owner\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\amasafuz.dll
c:\windows\emirijan.dll
c:\windows\evofunaner.dll
c:\windows\evofunanerulat.dll
c:\windows\system32\a78ze81x.dll
c:\windows\system32\as5ulc0lg.dll
c:\windows\system32\cwxcqjw9n6.dll
c:\windows\system32\ouzuvpr60.dll
c:\windows\system32\pgar95.dll
c:\windows\system32\uvg11o4sa.dll
c:\windows\user.exe
c:\windows\winamp.exe

Infected copy of c:\windows\system32\drivers\wmiacpi.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USNJSVC
-------\Service_usnjsvc


((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-08-28 22:21 . 2010-08-28 22:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-28 22:11 . 2010-08-28 22:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-08-27 12:43 . 2010-08-27 12:43 20836 ---h--w- c:\windows\wininst.exe
2010-08-27 12:43 . 2010-08-27 12:43 20836 ---h--w- c:\windows\mdm.exe
2010-08-27 12:43 . 2010-09-11 16:10 785920 ----a-w- c:\windows\system32\drivers\fxhqwl.sys
2010-08-27 12:43 . 2010-08-27 12:42 194048 ----a-w- c:\windows\Nnetua.exe
2010-08-27 12:42 . 2010-08-27 12:42 60004 ---h--w- c:\windows\avp32.exe
2010-08-27 12:42 . 2010-08-27 12:42 60004 ---h--w- c:\windows\setup.exe
2010-08-27 12:42 . 2010-09-11 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-11 15:30 . 2009-03-28 06:32 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 3
2010-09-04 21:39 . 2010-09-04 21:39 2826192 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-08-28 22:01 . 2005-08-22 00:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-08-27 12:46 . 2006-07-16 04:36 -------- d-----w- c:\program files\PeerGuardian2
2010-08-27 12:34 . 2007-04-21 06:44 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-06-16 03:01 . 2010-06-16 03:01 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2009-12-13 03:54 . 2009-12-13 03:54 11270 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"="c:\program files\Common Files\Ahead\Lib\NMFirstStart.exe" [2007-06-28 16680]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Auto run of VideoCam Suite 1.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Auto run of VideoCam Suite 1.0.lnk
backup=c:\windows\pss\Auto run of VideoCam Suite 1.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 14:58 611712 -c--a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-02-17 21:01 233534 -c--a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2004-12-03 20:24 290816 -c--a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2005-11-16 02:44 1200128 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 06:12 49152 -c--a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-04-01 22:11 794624 -c--a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 -c--a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 23:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-01-07 23:07 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-09-14 04:36 50688 -c--a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 -c----w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 22:57 153136 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
2005-09-19 01:40 1421824 ----a-w- c:\program files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 05:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qyinobuni]
2008-04-14 00:12 73728 ----a-w- c:\windows\mse1ENeM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-05-08 12:17 81920 -c--a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 22:21 246504 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-02 12:11 692316 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-02 12:12 102492 -c--a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-01-28 00:28 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trawgd327uhf838jdfdsfdfds]
2010-08-27 12:42 60004 ---h--w- c:\windows\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MpfService"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPodService"=3 (0x3)
"hpqwmi"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"bgsvcgen"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitPim\\bitpim.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Mozilla Firefox 3.1 Beta 3\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S2 pciinfo;HP Pci Information;\??\c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\drivers\fd_dbus.sys [3/28/2007 6:40 PM 44816]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/21/2005 5:00 PM 200192]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [3/28/2007 7:24 PM 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [3/28/2007 7:14 PM 60816]
S3 Normandy;Normandy SR2; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - fxhqwl
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
IE: {{EFFF8D47-D060-4108-B761-E8EC86622E56} - c:\documents and settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u6h0gm8f.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-fyfuvsjq - c:\documents and settings\Owner\Local Settings\Application Data\autuoqtrh\ymcfrnxshdw.exe
MSConfigStartUp-hse897ifdsjf98u3heuidhfdd - c:\docume~1\Owner\LOCALS~1\Temp\z0vodoi2.exe
MSConfigStartUp-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
MSConfigStartUp-newsecureapp70700 - c:\documents and settings\Owner\Application Data\C7048B40205674837F9C6A562DA6114F\newsecureapp70700.exe
MSConfigStartUp-wxnreacsmo - c:\docume~1\Owner\LOCALS~1\Temp\wxnreacsmo.tmp
MSConfigStartUp-XBV6RD5SZF - c:\docume~1\Owner\LOCALS~1\Temp\Nvv.exe
AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\uninstall_activeX.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-11 09:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fxhqwl]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1528)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-09-11 09:17:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-11 16:16
ComboFix2.txt 2010-01-26 23:46

Pre-Run: 15,657,332,736 bytes free
Post-Run: 15,669,035,008 bytes free

- - End Of File - - 2F65D1237ECFE9D331D804DED6BD9587


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:10 AM

Posted 12 September 2010 - 01:14 PM

Peer-to-Peer Programs
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case utorrent). These programs allow users to share files with each other, as the name suggests. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so it is suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/index.php?showtopic=343582

file::
c:\windows\pss\Antimalware Doctor.lnkStartup
Collect::
c:\windows\wininst.exe
c:\windows\mdm.exe
c:\windows\system32\drivers\fxhqwl.sys
c:\windows\Nnetua.exe
c:\windows\avp32.exe
c:\windows\setup.exe
Folder::
c:\documents and settings\All Users\Application Data\Update
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trawgd327uhf838jdfdsfdfds]
Driver::
pciinfo


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Install an AntiVirus
I don't see an updated Anti Virus program running on your machine. It is essential that you have an Anti Virus installed and keep it updated. Without an updated Anti Virus running you are leaving yourself wide open to infection every time you go on the internet.

These are some suggestions for a good free (non-commercial home use) Anti Virus:

Avast!
Antivir
AVG

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


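The CFScript above is hand-written from the Reg Loading Points section of the log: the helper picks out autostart entries with machine-generated names, hidden files, and binaries dropped straight into c:\windows or Temp. The script below is an added example of doing that first pass automatically; it is not part of syler's post and not ComboFix's own code. The scoring rules (hidden attribute flag, executable outside Program Files/system32, vowel-starved or digit-laden entry name) are my own assumptions for triage, and the sample log is a constructed excerpt copied in shape from entries in this thread. It also shows a miss on purpose: the "Antimalware Doctor.lnk" startup-folder entry is caught only by a person who recognises the rogue product's name, not by these rules.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not code from this thread or from ComboFix. The scoring rules
are my own assumptions for a first pass; a person still confirms each hit
before it goes into a CFScript, since a false positive there deletes a file.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied in shape from this thread's log section.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 23:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qyinobuni]
2008-04-14 00:12 73728 ----a-w- c:\windows\mse1ENeM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trawgd327uhf838jdfdsfdfds]
2010-08-27 12:42 60004 ---h--w- c:\windows\setup.exe

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup
"""

# "YYYY-MM-DD HH:MM <size> <8 attribute flags> <path>", as ComboFix prints it
DETAIL = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) (\S{8}) (.+)$")


@dataclass
class Entry:
    name: str
    path: str = ""
    attrs: str = ""
    missing: bool = False
    reasons: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.reasons)


def parse_loading_points(text):
    """Turn [key] / detail-line pairs into Entry objects; unknown lines are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # last component of the key, split on both '\' and the '^' ComboFix uses
            current = Entry(name=re.split(r"[\\^]", line[1:-1])[-1])
            entries.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("path="):
            current.path = line[len("path="):]
        elif line.endswith("[X]"):
            # ComboFix marks an autostart whose target no longer exists with [X]
            current.path, current.missing = line[:-3].strip(), True
        else:
            m = DETAIL.match(line)
            if m:
                current.attrs, current.path = m.group(2), m.group(3)
    return entries


def path_is_odd(path):
    """Assumption: autostart binaries normally live under Program Files or
    system32, not directly in c:\\windows, a Temp folder or a per-user
    Application Data root."""
    d = path.lower().rsplit("\\", 1)[0]
    return d == r"c:\windows" or r"\temp" in d or r"\local settings\application data" in d


def name_looks_random(name):
    """Assumption: names of 10+ letters that are vowel-starved, or long and
    digit-laden, are typical of generated entry names."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 10:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    has_digits = any(c.isdigit() for c in name)
    return vowel_ratio < 0.2 or (has_digits and len(name) >= 16)


def triage(text):
    """Attach reasons to every entry; entries with no reasons are dropped."""
    flagged = []
    for e in parse_loading_points(text):
        if "h" in e.attrs:
            e.reasons.append("file carries the hidden attribute")
        if e.path and path_is_odd(e.path):
            e.reasons.append("binary outside Program Files/system32: " + e.path)
        if name_looks_random(e.name):
            e.reasons.append("entry name looks machine-generated")
        if e.missing:
            e.reasons.append("referenced file is gone ([X]); stale, low priority")
        if e.reasons:
            flagged.append(e)
    return flagged


def suspicious_names(text):
    """Names worth a closer look: at least one reason other than a stale [X] entry."""
    return [e.name for e in triage(text) if not (e.missing and e.score == 1)]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.name}: " + "; ".join(e.reasons))
```

Run as a script it lists Qyinobuni and trawgd327uhf838jdfdsfdfds with their reasons and KernelFaultCheck as a stale entry; the Antimalware Doctor shortcut passes every rule, which is why a human still reads the whole section before writing the CFScript.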

#9 motley

motley
  • Topic Starter

  • Members
  • 17 posts
  • Local time:11:10 PM

Posted 13 September 2010 - 06:43 PM

Here is the log. I had to run it twice; the log locked up the first time.

ComboFix 10-09-12.04 - Administrator 09/13/2010 16:21:35.5.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.96 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\{F9B2A8DD-D0C7-4502-8EB2-51A504343D10}
c:\documents and settings\Owner\Local Settings\Application Data\{F9B2A8DD-D0C7-4502-8EB2-51A504343D10}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{F9B2A8DD-D0C7-4502-8EB2-51A504343D10}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{F9B2A8DD-D0C7-4502-8EB2-51A504343D10}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{F9B2A8DD-D0C7-4502-8EB2-51A504343D10}\install.rdf
c:\windows\etezavohiye.dll
.
---- Previous Run -------
.
c:\windows\avp32.exe
c:\windows\mdm.exe
c:\windows\Nnetua.exe
c:\windows\pss\Antimalware Doctor.lnkStartup
c:\windows\setup.exe
c:\windows\system32\drivers\fxhqwl.sys
c:\windows\wininst.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PCIINFO
-------\Service_pciinfo
-------\Legacy_fxhqwl
-------\Service_fxhqwl


((((((((((((((((((((((((( Files Created from 2010-08-13 to 2010-09-13 )))))))))))))))))))))))))))))))
.

2010-09-13 22:52 . 2010-09-13 22:52 0 ----a-w- c:\windows\Ibiqolemahedi.bin
2010-09-13 22:52 . 2010-09-13 22:52 120 ----a-w- c:\windows\Chimevegukogevu.dat
2010-08-28 22:21 . 2010-08-28 22:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-28 22:11 . 2010-08-28 22:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-13 22:25 . 2009-03-28 06:32 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 3
2010-09-04 21:39 . 2010-09-04 21:39 2826192 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-08-28 22:01 . 2005-08-22 00:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-08-27 12:46 . 2006-07-16 04:36 -------- d-----w- c:\program files\PeerGuardian2
2010-08-27 12:34 . 2007-04-21 06:44 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-06-16 03:01 . 2010-06-16 03:01 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2009-12-13 03:54 . 2009-12-13 03:54 11270 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"="c:\program files\Common Files\Ahead\Lib\NMFirstStart.exe" [2007-06-28 16680]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Auto run of VideoCam Suite 1.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Auto run of VideoCam Suite 1.0.lnk
backup=c:\windows\pss\Auto run of VideoCam Suite 1.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 14:58 611712 -c--a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-02-17 21:01 233534 -c--a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2004-12-03 20:24 290816 -c--a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2005-11-16 02:44 1200128 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 06:12 49152 -c--a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-04-01 22:11 794624 -c--a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 -c--a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 23:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-01-07 23:07 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-09-14 04:36 50688 -c--a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 -c----w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 22:57 153136 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
2005-09-19 01:40 1421824 ----a-w- c:\program files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 05:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qyinobuni]
2008-04-14 00:12 73728 ----a-w- c:\windows\mse1ENeM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-05-08 12:17 81920 -c--a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 22:21 246504 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-02 12:11 692316 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-02 12:12 102492 -c--a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-01-28 00:28 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MpfService"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPodService"=3 (0x3)
"hpqwmi"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"bgsvcgen"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitPim\\bitpim.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Mozilla Firefox 3.1 Beta 3\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\drivers\fd_dbus.sys [3/28/2007 6:40 PM 44816]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/21/2005 5:00 PM 200192]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [3/28/2007 7:24 PM 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [3/28/2007 7:14 PM 60816]
S3 Normandy;Normandy SR2; [x]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/26/2009 7:04 AM 24652]
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
IE: {{EFFF8D47-D060-4108-B761-E8EC86622E56} - c:\documents and settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bi2hgpcs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bi2hgpcs.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bi2hgpcs.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=
FF - user.js: search.clsid - {8A905651-57AE-4910-B31D-16002800E269}
FF - user.js: search.sid - 15101055100
FF - user.js: extensions.newAddons - false
FF - user.js: search.clsid - {8A905651-57AE-4910-B31D-16002800E269}
FF - user.js: search.sid - 15101055100
FF - user.js: extensions.newAddons - false
c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Gbejabafojo - c:\windows\etezavohiye.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-13 16:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-09-13 16:40:17
ComboFix-quarantined-files.txt 2010-09-13 23:39
ComboFix2.txt 2010-09-11 16:17
ComboFix3.txt 2010-01-26 23:46

Pre-Run: 15,653,126,144 bytes free
Post-Run: 15,643,164,672 bytes free

- - End Of File - - CD644026BC7176406082619D4B6045BD


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:10 AM

Posted 14 September 2010 - 10:34 AM

Can you tell me how the computer is running now?


Please click this link-->Virustotal
When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\mse1ENeM.dll

Please post back with the link to the scan results, in your next post.
If Virustotal is busy, try the same at Jotti: http://virusscan.jotti.org/



Please navigate to the following file, then copy and paste the contents in your reply

C:\QooBox\ComboFix-quarantined-files.txt



#11 motley

motley
  • Topic Starter

  • Members
  • 17 posts
  • Local time:11:10 PM

Posted 16 September 2010 - 06:09 PM

http://www.virustotal.com/file-scan/report...9ce8-1284678187

2010-09-13 23:38:49 . 2010-09-13 23:38:50 151 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Gbejabafojo.reg.dat
2010-09-13 22:52:50 . 2010-09-13 22:52:50 5,954 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\{F9B2A8DD-D0C7-4502-8EB2-51A504343D10}\chrome\content\overlay.xul.vir
2010-09-13 22:52:50 . 2010-09-13 22:52:50 2,116 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\{F9B2A8DD-D0C7-4502-8EB2-51A504343D10}\chrome\content\_cfg.js.vir
2010-09-13 22:52:49 . 2010-09-13 22:52:50 764 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\{F9B2A8DD-D0C7-4502-8EB2-51A504343D10}\install.rdf.vir
2010-09-13 22:52:49 . 2010-09-13 22:52:49 122 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\{F9B2A8DD-D0C7-4502-8EB2-51A504343D10}\chrome.manifest.vir
2010-09-13 22:45:13 . 2010-09-13 22:45:13 120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\_fxhqwl_.sys.zip
2010-09-13 22:45:04 . 2010-09-13 22:45:04 74 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_fxhqwl.reg.dat
2010-09-13 22:45:04 . 2010-09-13 22:45:04 1,248 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_fxhqwl.reg.dat
2010-09-13 22:42:54 . 2010-09-13 22:42:54 2,826 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_pciinfo.reg.dat
2010-09-13 22:42:54 . 2010-09-13 22:42:54 1,230 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_PCIINFO.reg.dat
2010-09-13 22:34:47 . 2010-09-13 22:34:48 1,010,097 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2010-09-13_15.34.41.zip
2010-09-11 16:16:05 . 2010-09-11 16:16:05 1,446 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Flash Player ActiveX.reg.dat


#12 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 17 September 2010 - 09:33 AM

Can you tell me how your machine is running and if you are having any more problems?


When you run ComboFix it will ask you to upload some files, please let it do so.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Collect::
C:\Qoobox\Quarantine\[4]-Submit_2010-09-13_15.34.41.zip
c:\windows\mse1ENeM.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qyinobuni]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#13 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 23 September 2010 - 12:51 PM

Due to the lack of feedback this Topic is closed.
